We uncovered a recent activity involving the notorious online credit card skimming attack known as Magecart. The attack, facilitated by a new cybercrime group, impacted 201 online campus stores in the United States and Canada.
We started detecting the attacks against multiple campus store websites on April 14, during which the sites were injected with a malicious skimming script (detected by Trend Micro as Trojan.JS.MIRRORTHEIF.AA) at their payment checkout pages. The skimming script can scrape credit card information, as well as personal details entered on the payment page. The stolen information is consequently sent to a remote server. After looking into this attack, we learned that the attackers compromised PrismWeb, which is an e-commerce platform designed for college stores by company PrismRBS, a subsidiary of Nebraska Book Company.